Maldoc Submitted and Analyzed, (Sat, Jul 29th)

Reader Jason submitted a malicious document he received via email. Although it contains VBA code with string obfuscation that is not too complex, it has a very low VirusTotal detection score. The for loop and the Chr$, Asc and Mid functions are clear indications that function sierra is a decoding function. Let …

TinyPot, My Small Honeypot, (Thu, Jul 27th)

Running honeypots is always interesting to get an overview of what's happening on the Internet in terms of scanners or new threats. Honeypots are useful not only in the wild but also on your internal networks. There are plenty of solutions to deploy honeypots with more or less nice features (depending on the chosen solution). …

Malspam pushing Emotet malware, (Wed, Jul 26th)

Introduction: On Tuesday 2017-07-25, we were contacted by a reader through our contact page. He sent us a Microsoft Word document, and he included the following message: Received a typical phishing email pointing to the site: anduron.com/XXGX911533. This link downloads a doc with an open document macro. Interestingly, the macro was not encrypted. Understanding the …

Uber drivers new threat: the "passenger", (Mon, Jul 24th)

This week I was told about a scam attack that surprised me due to the criminals' creativity. A NYC Uber driver had his Uber account and the day's incomings stolen by someone who was supposed to be his next passenger. While driving towards the passenger's address, the Uber driver received a phone call from someone …

Black Hat is coming and with it a good reason to update your "Broadcom-based" devices, (Fri, Jul 21st)

Black Hat US 2017 is debuting and with it a potential concern to most of us. It turns out that one of the conference presentations, entitled "BROADPWN: REMOTELY COMPROMISING ANDROID AND IOS VIA A BUG IN BROADCOM'S WI-FI CHIPSETS" [1], will detail how Broadcom BCM43xx Wi-Fi chipsets can be exploited to achieve full code execution on the compromised …

Malicious .iso Attachments, (Fri, Jul 21st)

Didier Stevens, Microsoft MVP Consumer Security, blog.DidierStevens.com, DidierStevensLabs.com. (c) SANS Internet Storm Center, https://isc.sans.edu, Creative Commons Attribution-Noncommercial 3.0 United States License.

Bots Searching for Keys & Config Files, (Wed, Jul 19th)

If you don't know our 404 project [1], I would definitely recommend having a look at it! The idea is to track HTTP 404 errors returned by your web servers. I like to compare the value of 404 errors found in web site log files to dropped events in firewall logs. They can have a huge value to …